Week 7 In Review – 2011

Events Related

Hop Hacking Hedy – cutawaysecurity.com
Although this started as one of my first full-fledged hardware projects, the intent was always to evaluate ways to cheaply assess deployments of frequency hopping spread spectrum (FHSS) technologies (please review and I’ll assume you did).

OWASP Summit 2011 Results – diniscruz.blogspot.com
As you can see by the Summit’s highlights, we achieved an amazing amount of work during the 3 days we were together in Portugal!

REcon 2010 slides – djtechnocrat.blogspot.com
RECON is a computer security conference being held in Montreal. The conference offers a single track of presentations over the span of three days. REcon 2010 took place on July 9-11, 2010.

Mallory Webinar Followup – intrepidusgroup.com
First, we would like to thank everyone that attended our Mallory webinar. Mallory is Intrepidus Group’s in-house developed Man in The Middle Tool (MiTM) that we use to test mobile devices and applications.

Resources

2010 Breach Statistics – blog.absolute.com
As you can see from the tally above, 662 breaches were reported for 2010. Those breaches exposed more than 16 million records, though if you look closely into the report, you’ll see that quite a number of the breaches are left with a 0 for records reported – numbers may yet be unknown.

Metasploit Unleashed 2011 – offensive-security.com
This past month has seen a number of additions to our free Metasploit Unleashed training course, primarily in our on-going effort to build out the Metasploit Module Reference section.

Data Loss Prevention and Internal Threats – tripwire.com
Combine the major players getting into DLP and the rise of Wikileaks, and now everyone is concerned and aware of internal threats and losing their data.

SSDs prove difficult to securely erase – nakedsecurity.sophos.com
At this week’s USENIX FAST ’11 conference on File and Storage Technologies in San Jose, California, researchers published a paper examining the effectiveness of different secure erasure methodologies on Solid State Disks (SSDs).

CISSP Domain – Security Architecture and Design – resources.infosecinstitute.com
This article will cover some of the major areas within Security Architecture and Design by looking at: design concepts, hardware architecture, OS and software architecture, security models, modes of operations, and some system evaluation methods, specifically CAP.

IRONBEE: The Open Source Next generation WAF – pentestit.com
IronBee is a new open source project from Qualys to build a universal web application firewall sensor in the cloud through the collective efforts of the community: an open source, next generation WAF for the community.

Nessus “Exploitable With” Field Updated – blog.tenablesecurity.com
Over the past few months, fields in Nessus reports indicating whether or not an exploit exists for a given vulnerability have continued to evolve.

The Yeti is here – sensepost.com
After several months of dedicated … uh dedication, our new network footprinting tool is being made available to the masses.

Open-SCAP v0.7.0 released – open-scap.org
The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities.

Yeti – Footprinting Your Network – blog.rootshell.be
“Footprinting” is a technique to gather information about information systems. The goal is to collect as much information as possible and correlate it to build some kind of “business card” of the target.

Episode #134: Never Out of Sorts – blog.commandline.kungfu
I was recently working a case where we had extracted a bunch of date-stamped messages from unallocated space, and we wanted to output them in reverse-chronological order.
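One way to carry out the step the episode describes, as an added example in Python rather than the episode’s own shell one-liners (not code from the post): the carved messages below are constructed sample input, the timestamp formats are assumptions, and the year for syslog-style stamps (which carry none) has to be supplied by the examiner.

```python
import re
from datetime import datetime

# Constructed sample standing in for messages carved from unallocated space:
# two timestamp formats and one undated fragment, listed in carve order.
CARVED = [
    "Feb 14 09:12:01 host sshd[512]: Accepted password for bob",
    "2011-02-13T23:59:58 app: session opened",
    "fragment with no usable timestamp",
    "Feb 14 08:45:30 host cron[77]: job started",
    "2011-02-14T09:12:00 app: login bob",
]

# (regex capturing the stamp, strptime format) for each format we expect;
# both are assumptions about what the carved data looks like.
PATTERNS = [
    (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"), "%Y-%m-%dT%H:%M:%S"),
    (re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"), "%b %d %H:%M:%S"),
]


def parse_timestamp(line, assumed_year):
    """Return the line's datetime, or None if no known format matches or the
    stamp is impossible (e.g. Feb 29 in a non-leap assumed_year)."""
    for regex, fmt in PATTERNS:
        m = regex.match(line)
        if not m:
            continue
        stamp = m.group(1)
        try:
            if "%Y" in fmt:
                return datetime.strptime(stamp, fmt)
            # syslog stamps carry no year: prepend the one the case supplies,
            # so leap days are validated against the right year
            return datetime.strptime(f"{assumed_year} {stamp}", "%Y " + fmt)
        except ValueError:
            return None
    return None


def reverse_chronological(lines, assumed_year):
    """Newest first; equal stamps keep carve order; undated lines are appended
    at the end rather than silently dropped."""
    dated, undated = [], []
    for idx, line in enumerate(lines):
        ts = parse_timestamp(line, assumed_year)
        (dated if ts else undated).append((ts, idx, line))
    dated.sort(key=lambda t: (t[0], -t[1]), reverse=True)
    return [line for _, _, line in dated] + [line for _, _, line in undated]


if __name__ == "__main__":
    for line in reverse_chronological(CARVED, 2011):
        print(line)
```

Undated fragments are kept and listed last so the examiner sees what did not sort rather than losing it; the year is a parameter because a syslog stamp like "Feb 14" is meaningless without one.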

The trick to defeating tamper-indicating seals – freedom-to-tinker.com
Even so, when the state stuck a bunch of security seals on their voting machines in October 2008, I found that I could easily defeat them. I sent in a supplemental expert report to the Court, explaining how.

HeapLocker: String Detection – blog.didierstevens.com
When you enable string monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable.
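The content check behind that monitoring, as an added example that is not HeapLocker’s code: given a batch of pages that stand in for newly committed readable and writable memory, it reports any configured marker string and, as this example’s own addition beyond what the text describes, any long run of a 1-, 2- or 4-byte repeating pattern of the kind a heap spray leaves behind. The pages, markers and threshold are constructed; the once-a-second thread and the page enumeration are not shown.

```python
PAGE_SIZE = 4096


def longest_periodic_run(buf, period):
    """Length of the longest stretch of buf that repeats with the given period
    (buf[i] == buf[i - period] throughout). A slide spray repeats with a
    period of 1, 2 or 4 bytes for pages on end."""
    best = run = 0
    for i in range(period, len(buf)):
        if buf[i] == buf[i - period]:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best + period if best else 0


def scan_page(page, markers, min_run=1024):
    """Findings for one RW page: each marker string present (with offset) and
    the first short period whose repeating run is at least min_run bytes."""
    findings = []
    for marker in markers:
        offset = page.find(marker)
        if offset != -1:
            findings.append(("marker", marker, offset))
    for period in (1, 2, 4):
        run = longest_periodic_run(page, period)
        if run >= min_run:
            findings.append(("repeat", period, run))
            break
    return findings


def scan_pages(pages, markers, min_run=1024):
    """Scan a batch of newly committed RW pages; returns {page_index: findings}
    for pages with at least one finding."""
    results = {}
    for index, page in enumerate(pages):
        findings = scan_page(page, markers, min_run)
        if findings:
            results[index] = findings
    return results


# Constructed pages (not real process memory): one page of varied data and
# one sprayed with the classic 0x0c0c0c0c slide followed by a marker string.
ORDINARY = bytes(range(256)) * (PAGE_SIZE // 256)
SPRAYED = (b"\x0c\x0c\x0c\x0c" * 1000 + b"\x90" * 16
           + b"SHELLCODE-MARKER").ljust(PAGE_SIZE, b"\x00")
MARKERS = (b"SHELLCODE-MARKER",)

if __name__ == "__main__":
    print(scan_pages([ORDINARY, SPRAYED], MARKERS))
```

The repeating-pattern check is a heuristic: pick the threshold above what legitimate zero-filled or buffer-initialised pages produce, or it will fire on ordinary allocations.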

Windows 0-day SMB mrxsmb.dll vulnerability – vupen.com
A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system.

Oracle Passlogix Vulnerability – securityfocus.com
An attacker can exploit this issue to view and execute arbitrary files on the target system. Successful exploits may aid in a compromise of the underlying computer.

Having a Ball with ATM Skimmers – krebsonsecurity.com
On February 8, 2009, a customer at an ATM at a Bank of America branch in Sun Valley, Calif., spotted something that didn’t look quite right about the machine.

Reinventing FedRAMP – novainfosecportal.com
For those who haven’t heard, GSA has been quickly pushing the Federal Risk and Authorization Management Program (FedRAMP) out the door with the goal of accrediting common cloud-based solutions that agencies can develop on top of.

ESAPI and the Padding Oracle Attack – owasp.blogspot.com
I originally noticed that the ESAPI symmetric encryption provided no authenticity way back in August 2009 and argued for a very long time with Jim Manico that what was present in ESAPI 1.4 and 2.0rc3 (or maybe it was rc2?) needed to be burned to the ground and replaced, and he agreed.
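What “no authenticity” costs, as an added example that is not ESAPI’s code: unauthenticated CBC with PKCS#7 padding, an oracle that only reveals whether padding was valid, the attack that turns that bit into the full plaintext, and the repair the post argues for, a MAC over the ciphertext checked before any decryption. The block cipher is a toy SHA-256 Feistel standing in for AES so the example runs on the standard library; keys and plaintext are constructed.

```python
import hashlib
import hmac
import os

BLOCK, TAG_LEN = 16, 32


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, r):
    # Round function of a toy 16-byte Feistel cipher (assumed stand-in for AES).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def pkcs7_unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, plaintext):
    """Unauthenticated CBC, returns iv || ciphertext."""
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    prev = os.urandom(BLOCK)
    out = [prev]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


def padding_oracle(key, data):
    # The leak: the caller learns whether padding was valid (in practice a
    # distinguishable error message or a timing difference).
    try:
        cbc_decrypt(key, data)
        return True
    except ValueError:
        return False


def padding_oracle_attack(oracle, data):
    """Recover the plaintext of iv || ct using only oracle(bytes) -> bool.
    Returns None if the oracle never accepts a forged block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)              # block_decrypt(target), byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # already-known bytes -> padval
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + target):
                    continue
                if pos == BLOCK - 1:
                    # 0x01 vs a longer padding that fits by chance: disturb the
                    # byte before it and require the padding to stay valid
                    alt = bytearray(forged)
                    alt[pos - 1] ^= 0xFF
                    if not oracle(bytes(alt) + target):
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                return None
        recovered += _xor(bytes(inter), prev)
    return pkcs7_unpad(recovered)


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: tag the ciphertext with a separate key."""
    ct = cbc_encrypt(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, data):
    ct, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # before any decryption
    return cbc_decrypt(enc_key, ct)


def authenticated_oracle(enc_key, mac_key, data):
    # Same error channel, but forged ciphertexts fail the MAC, so padding
    # validity never leaks.
    try:
        open_sealed(enc_key, mac_key, data)
        return True
    except ValueError:
        return False
```

Run `padding_oracle_attack(lambda d: padding_oracle(key, d), cbc_encrypt(key, secret))` to watch the plaintext come back one byte per 256 oracle queries at most; against `authenticated_oracle` the same attack gets no accepted forgery and returns None. The two keys must be independent, and the tag check must happen before the ciphertext is touched, which is what “burned to the ground and replaced” amounts to in code.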

Attack Can Extract Crypto Keys From Mobile Device Signals – threatpost.com
Many carriers and mobile providers are touting smartphones as the future of secure mobile payment systems, enabling users to pay for purchases with an app on their phones, and this is already a reality in many parts of Asia and Europe.

OWASP – Has It Reached a Tipping Point? – curphey.com
When I started OWASP nearly a decade ago it was without a plan (or frankly even much thought) but it was with a premonition that the Internet was going to revolutionize the world, web technology would be at the forefront of the revolution and that security would be a critical attribute in the mix.

1 in 10 IT pros have access to accounts from previous jobs – net-security.org
According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users’ electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence.
